You Have a Security Problem

If you see the above message popping up on your system, you most certainly do. The creators of Antivirus 2008 have updated their system of delivering fraudulent and inaccurate alerts to users around the world, following up their 2008 money maker with Antivirus 2009:

We’ve been watching users get slammed by (and TF-protected from) another set of phony codec files, like “codecpack.v.1.0.0.exe”, or, after its download, “codecpack.v.1.0.0[1].exe”. These files kick off the first of the inaccurate warnings like the ones above and download additional content. We’re seeing downloads and execution of “AV2009Install_77040502.exe”, leading to a slew of phony detections and messages. Don’t bother paying to clean up your system with these guys. To persist on the system, the installer registers no uninstall entry, so the rogue cannot be removed through the standard Windows Add/Remove Programs control panel applet. And don’t believe pop-up warnings like “Adult content traces found on your PC”. They display warnings of adult content that is not present on our lab system either, listing links to adult sites that do not exist:

14 Responses to You Have a Security Problem

I hit the same issue today. Generally my laptop is clean because I have a pretty good anti-virus installed.

Anyways, I couldn’t wait for the full scan to complete. Started googling.

I actually started inspecting the processes running, using Process Explorer.

Found the following processes to be fishy: 7F.tmp and 7D.tmp.exe. Did some research online. Moved them to a different directory and restarted my machine. And the icon on the task bar was gone. Stopped getting the popups.

Anyways, this solved the problem. Now I will anyways do an overnight scan to confirm it.

Thanks for your comment. Unfortunately, we’ve seen that same filename (7.tmp) used by a zbot variant recently, which can have some pretty bad implications. Be sure to scan your system, and look for any directories with “wsnpoem” in them. Hopefully, 7.tmp really is just a temp file used by the downloader/fakealert on your system.
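A scripted version of the triage described in the comment and reply above, as an added example that is not part of the original post: it walks a user profile looking for directories whose name contains wsnpoem (the zbot hint), for the dropper names mentioned in the thread, and for files under a Temp directory that carry a PE header (the MZ magic) regardless of extension, because a dropper calling itself 7F.tmp is still an executable. The profile tree it scans is constructed inside the script for the demo; the indicator lists and the one-hour incident window are illustrative assumptions, not indicators from the post.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Indicators taken from the thread above. Everything else is added example
# code; the filename list and the time window are illustrative assumptions.
IOC_DIR_SUBSTRINGS = ("wsnpoem",)
IOC_FILENAMES = {"7.tmp", "7f.tmp", "7d.tmp.exe", "~tmpb.exe", "xxx41.exe", "xxx8227.exe"}


def is_pe_file(path: Path) -> bool:
    """True when the file begins with the 'MZ' DOS stub, whatever its extension.
    Droppers in the thread were named 7F.tmp, so the suffix proves nothing."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def triage(root: Path, since: float) -> list:
    """Walk `root` and collect suspicious items:
      - directories whose name contains an indicator substring (the zbot hint)
      - files whose name is a known dropper name, wherever they sit
      - PE files inside a directory called Temp modified at or after `since`
    Each finding is a dict with the path and the reason it was flagged."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for name in dirnames:
            if any(s in name.lower() for s in IOC_DIR_SUBSTRINGS):
                findings.append({"path": str(here / name), "reason": "ioc_directory_name"})
        in_temp = here.name.lower() == "temp"
        for name in filenames:
            path = here / name
            if name.lower() in IOC_FILENAMES:
                findings.append({"path": str(path), "reason": "ioc_filename"})
            elif in_temp and is_pe_file(path) and path.stat().st_mtime >= since:
                findings.append({"path": str(path), "reason": "recent_pe_in_temp"})
    return findings


def build_sample_profile() -> tuple:
    """Constructed sample user profile for the demo (not a capture from a real host).
    Returns (root, incident_start) where incident_start is a Unix timestamp."""
    root = Path(tempfile.mkdtemp(prefix="fakeav_triage_"))
    temp = root / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    (root / "Application Data" / "wsnpoem").mkdir(parents=True)   # zbot-style directory -> flagged
    incident_start = time.time() - 3600            # assume the alerts began an hour ago
    pe_stub = b"MZ" + b"\x00" * 62                 # minimal DOS header, enough for the check
    (temp / "7F.tmp").write_bytes(pe_stub)                      # known dropper name -> flagged
    (temp / "codecpack.v.1.0.0[1].exe").write_bytes(pe_stub)    # fresh PE in Temp -> flagged
    (temp / "~DF3A1B.tmp").write_bytes(b"not an executable")    # ordinary temp file -> ignored
    old = temp / "old_installer.exe"                            # PE that predates the incident -> ignored
    old.write_bytes(pe_stub)
    os.utime(old, (incident_start - 86400, incident_start - 86400))
    return root, incident_start


def run_demo() -> list:
    """Build the sample profile, triage it, clean up, and return sorted findings."""
    root, since = build_sample_profile()
    try:
        return sorted(triage(root, since), key=lambda f: (f["reason"], f["path"]))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['reason']:22} {f['path']}")
```

On a real machine, point triage() at the user's profile (under Documents and Settings on XP) with `since` set to the time the first alert appeared; a hit on a filename alone is a lead to confirm by path and creation time, not proof, since a legitimate file can share the name.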

I’d like to know, if possible, what measures the research team has in mind against these types of threats. From what I’ve seen these trojans often exhibit very little in terms of behavior, leaving very little traces for a behavior blocker like TF to detect.

I gave both “Malwarebytes” and “SUPERAntiSpyware” a try. Both detected and logged antispyware 2008 under threats, but after completing the quarantine and restart process, failed to get rid of the popups. I did find an entry in my browser history tagged as “LcodePlus.v.1.0.20081.exe.” It is located right in the time slot where I picked this thing up. Its redirect website is “http://soft-upgrade-network.com/LcodecPlus.v.1.0.20081.exe.” A search on the computer did not turn up anything under that. Does anyone have any further suggestions? Unfortunately, I am not very skilled in computer files, logs, and registry use and am very reluctant to make changes by deleting anything. Thanks, John

This is something I found that got rid of the problem; hope it will help you as much as it helped me. Pay attention to how to find the file and how to delete it. Oh, by the way, if you also have a file under the name xxx8227, you should also delete it the same way you deleted xxx41.

Overview

xxx41.exe is a malware-associated executable file. Legitimate executable files are used to launch programs in Windows. Malware-associated executable files are automatically run from registry autorun locations and the Windows startup folder to execute malicious code.

Location of xxx41.exe and Associated Malware

Check whether xxx41.exe is present in the following locations:

C:\Documents and Settings\UserName\Local Settings\Temp\xxx41.exe

If you find xxx41.exe in these locations, your computer is very likely to be infected with the following malware:

Win32.ExpDwnldr

Notes:

You can check if xxx41.exe is associated with the malware listed above by running a free scan in Exterminate It!. You can easily remove all the files listed above with Exterminate It!. IMPORTANT: Malware files can be camouflaged with the same file names as legitimate files. The xxx41.exe file is associated with malware only if found in the locations listed above.

Why Is It Important to Remove Malware Files?

It is imperative that you delete malware-associated files as soon as possible because they can be used – or are already being used – to inflict serious damage on your PC, including:

Disrupting the normal functioning of the operating system or rendering it completely useless.
Hijacking valuable private information (credit card numbers, passwords, PIN codes, etc.)
Directing all your Web searches to the same unwanted or malicious sites.
Dramatically slowing down your computer.
Gaining total control of your PC to spread viruses and trojans and send out spam.

How to Remove xxx41.exe

To enable deleting the xxx41.exe file, terminate the associated process in the Task Manager as follows:

1. Right-click in the Windows taskbar (a bar that appears along the bottom of the Windows screen) and select Task Manager on the menu.
2. In the Task Manager window, click the Processes tab. On the Processes tab, select xxx41.exe and click End Process.
3. Using your file explorer, browse to the file using the paths listed in Location of xxx41.exe and Associated Malware.
4. Select the file and press SHIFT+Delete on the keyboard. Click Yes in the confirm deletion dialog box.
5. Repeat steps 2-4 for each location listed in Location of xxx41.exe and Associated Malware.

Notes:

The deletion of xxx41.exe will fail if it is locked; that is, it is in use by some application (Windows will display a corresponding message). For instructions on deleting locked files, see Deleting Locked Files.
The deletion of xxx41.exe will fail if your Windows uses the NT File System (NTFS) and you have no write rights for the file. Request your system administrator to grant you write rights for the file.
Delete xxx41.exe Automatically.

Deleting Locked Files

You can delete locked files with the RemoveOnReboot utility. You can install the RemoveOnReboot utility from here.

After you delete a locked file, you need to delete all the references to the file in Windows registry.

To delete a locked file:

1. Right-click on the file and select Send To -> Remove on Next Reboot on the menu.
2. Restart your computer.
3. The file will be deleted on restart.

Note: In the case of complex viruses that can replicate themselves, malware files can reappear in the same locations even after you have deleted those files and restarted your computer. Exterminate It! can effectively eradicate such viruses from your computer.

To remove all registry references to a malware file:

1. On the Windows Start menu, click Run.
2. In the Open box, type regedit and click OK. The Registry Editor window opens.
3. On the Edit menu, select Find.
4. In the Find dialog box, type FILENAME. The name of the first found registry value referencing xxx41.exe is highlighted in the right pane of the Registry Editor window.
5. Right-click the registry value name and select Delete on the menu.
6. Click Yes in the Confirm Value Delete dialog box.
7. To delete all other references to xxx41.exe, repeat steps 4-6.

IMPORTANT: Malware files can masquerade as legitimate files by using the same file names. To avoid deleting a harmless file, ensure that the Value column for the registry value displays exactly one of the paths listed in Location of xxx41.exe and Associated Malware.
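The registry search in the pasted guide, done against an exported hive instead of by hand in regedit, as an added example that is neither part of the original post nor Exterminate It! code. Export the autorun keys with reg.exe (for instance `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`), parse the text, and flag every value whose command runs the indicator filename. It applies the guide's own caveat in code: only a hit whose full path matches the location the guide lists is marked as known malicious; a same-named file anywhere else is reported as unverified. The .reg text, the user name John and the Vendor path are constructed for the demo.

```python
import re

# Added example, not part of the original post or of the Exterminate It! guide
# pasted above. A real .reg export is UTF-16 with a BOM: open it with
# encoding="utf-16". The content below is constructed for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xxx41"="\"C:\\Documents and Settings\\John\\Local Settings\\Temp\\xxx41.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\xxx41.exe"
"Flags"=dword:00000001
'''

# The one location the guide above names for xxx41.exe. The user name varies,
# so it is written as a regex; anything else carrying the name stays unverified.
KNOWN_BAD_PATHS = [
    r"^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp\\xxx41\.exe$",
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # undo .reg escaping: a backslash protects the following character
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, data) triples for every value in a .reg export.
    REG_SZ data is unescaped; other types (dword:, hex:) are kept verbatim and
    hex continuation lines are ignored, which is enough for autorun hunting."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        raw = m.group(3)
        data = _unescape(raw[1:-1]) if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        entries.append((key, name, data))
    return entries


def command_path(data: str) -> str:
    """Pull the executable out of an autorun command line, quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|tmp|dll))(?:\s|$)", data, re.I)
    return m.group(1) if m else data


def find_references(entries: list, filename: str, known_bad: list) -> list:
    """Flag every autorun value whose command runs `filename`. A path that
    matches a known-bad location gets verdict known_malicious_path; a same-named
    file elsewhere is same_name_unverified, since a legitimate file may share
    the name. Each finding carries the reg.exe command that removes the value
    once it has been confirmed."""
    patterns = [re.compile(p, re.I) for p in known_bad]
    findings = []
    for key, name, data in entries:
        path = command_path(data)
        if path.rsplit("\\", 1)[-1].lower() != filename.lower():
            continue
        verdict = "known_malicious_path" if any(p.match(path) for p in patterns) else "same_name_unverified"
        findings.append({
            "key": key, "value": name, "path": path, "verdict": verdict,
            "delete_cmd": f'reg delete "{key}" /v "{name}" /f',
        })
    return findings


def run_demo() -> list:
    return find_references(parse_reg_export(SAMPLE_REG), "xxx41.exe", KNOWN_BAD_PATHS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['verdict']:22} {f['key']}\\{f['value']} -> {f['path']}")
        if f["verdict"] == "known_malicious_path":
            print("   ", f["delete_cmd"])
```

Export the other autorun keys the guide alludes to (the RunOnce keys under both hives, and the Startup folder contents) the same way and feed them through; a `same_name_unverified` hit is a reason to look at the file, not a reason to run the delete command.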

I got the problem last night around 9pm. Driving me nuts. Since I’ve had McAfee, I really haven’t had to worry about viruses and such on my computer. I’m a little computer savvy, but not enough to try and follow some of these rather complicated methods for deleting this thing. It is gone, so far. And seemed to be rather simple.

I opened my task manager, and selected the “processes” tab. Right at the very top was a process that was open which was ~tmpb.exe. I didn’t want to go deleting things that I didn’t know what they were. So, I went to start and Search. I typed in the file name, and it came up under “documents and settings” like a previous post mentioned. I right clicked on it, and found that it was “created” right when all this B.S. started. So, I “ended the process” in the task manager. And then right click and “deleted” it from the search result. So far it has worked. It took the icon away instantly. If it comes back, I’ll probably go look for another file just the same. Good luck.

Yeah, it came back. Is there any way in the world to get some program to remove these things for free? What good is a “free scan” if you have to pay for them to be removed. I will not pay for one of them programs, whether someone swears it works or not. I just won’t. But, manually, just really isn’t gonna work, plus will take SO long. I’d love it if there was actually a way to just get rid of this stupid thing.

Yay! I did it. It was very easy. I typed in the name of this file that kept showing back up every time I restarted my computer, and googled it. I found this site Prvx.com which was another one of those stupid free scan things. They claimed they’d clean your computer too. But it never is free. So, when it’s all done scanning, it did indeed find three files that have been buggin’ around on my computer. Then, since you can’t really copy and paste, I opened notepad and literally typed out the complete file names.

Then I copy and pasted what I typed into the search on my computer, found them really fast, and erased them. All three of them.

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes’ Anti-Malware
Launch Malwarebytes’ Anti-Malware
Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

On the Scanner tab: Make sure the “Perform Quick Scan” option is selected. Then click on the Scan button. The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button. The scan will begin and “Scan in progress” will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say “The scan completed successfully. Click ‘Show Results’ to display all objects found”. Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see Note below). The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.